The Five Traps in User Provisioning and How to Avoid Them
By Sara Gates
Sara Gates, VP Identity Management, Sun Microsystems
The business issues that drive user provisioning solutions today have
changed dramatically since identity-based provisioning and other automated
identity management technologies first appeared on the IT radar. Concerns
like regulatory compliance and enterprise extension hardly existed just
five years ago; today, they're critical to being competitive and improving
business performance. Here's a look at five provisioning traps that are all
too easy to fall into in a business environment that has changed so much in
so short a time.
Trap #1. "Now that we have a user provisioning system in place, we can stop
worrying about users having excessive or non-compliant access."
This might have been true in the days before compliance became such a
critical issue. And it might still be true today, if all compliance-related
applications were under provisioning management, and if all access rights
were granted through the provisioning system. But that's likely not the
case. In many enterprises, there are hundreds of Sarbanes-Oxley-relevant
applications that must be brought under provisioning management, and this
will not happen overnight. Furthermore, business needs often dictate
granting application access outside of provisioning. For example, when a
user requires "super-user" access, that's almost always granted on an
on-demand basis. The risk is that access changes that don't go through
provisioning may violate internal audit policy or external regulations.
Auditors have recognized these gaps and are now requiring IT organizations
to document user access to unmanaged systems in external entitlement
databases. However, this does not entirely address the problem. IT still
has no way to continuously check these databases for violations or to
automatically remediate violations. Those steps must be taken manually, a
slow, tedious, and error-prone process that allows users in violation to
keep their access for extended periods and increases the risk of more
serious compliance issues.
A solution that includes both provisioning and identity auditing can reduce
the risk of excessive or non-compliant access. If the auditing capabilities
go beyond mere reporting to scanning the entire access environment
(including external entitlement databases) on an ongoing basis, the risk of
violation is mitigated. Whenever a violation results from access changes, no
matter where those changes are initiated, a converged solution can detect
the problem instantly, and then automatically alert the application owner
to disable the account, pending investigation. In this way, violations are
not only detected, but can be immediately remediated and documented.
Trap #2. "By implementing user provisioning, we can start fresh with no
compliance violations."
But what about violations that already exist? In an environment where the
number of applications has been consistently growing over the last few
years, it wouldn't be unusual for thousands of violations to have
proliferated in that time. A new provisioning system won't do anything to
address those, unless, of course, it incorporates identity auditing.
A solution that includes auditing capabilities like automated reviews and
proactive scanning will be able to detect all violations in the
environment, including those that existed long before the provisioning
system was put into place. If, for example, [describe a type of violation
that is a good illustration of an existing violation?]
With a converged provisioning and identity auditing solution, the entire
process of detecting and eliminating violations, both new and existing
ones, is radically simplified and streamlined. Identity auditing
automatically detects the violations, reports them to provisioning for
remediation, and documents the entire process for auditing purposes.
Trap #3. "Our user provisioning system already checks for all potential
compliance violations when granting access through roles and rules."
Provisioning based solely on role- and rule-based access made perfect sense
when IT's primary concern was provisioning efficiency. But while a
provisioning system that implements business rules around job codes and
roles may make it faster and easier to grant access, it doesn't make it
easier to address segregation-of-duties violations and other complex
compliance issues. The problem is that IT security does not own compliance
controls, which are typically documented in spreadsheets by internal and
external auditors.
What happens, for example, when an employee requests the ability to create
a group of suppliers, then later moves into management and requests the
ability to pay the same group of suppliers? That's clearly a conflict of
interest, and a segregation of duties violation. However, the needs of the
business may dictate that a manager be able to create one group of
suppliers and pay a different group of suppliers. So the employee job
code, department, and title that define business rules and roles used in
provisioning may actually permit the aforementioned violation. This is
especially true if provisioning spans multiple complex applications.
The solution is to link provisioning not only to business rules and roles,
but also to audit policy. That way, access changes have to conform to
business rules (based on user roles) and to audit policies as defined by
internal and external auditors. Detecting violations and potential
violations thus becomes an integral part of the process. So when business
needs dictate an access change that will result in a policy or compliance
violation, the potential problem can be flagged immediately and prevented
from occurring in the first place.
Trap #4. "Once this access review cycle is over, we can finally relax."
In today's compliance-driven environment, if your access review process
consists of manually sending requests to managers to attest to user
privileges, and then exchanging emails with the managers for months before
all the information is collected and processed, it won't be long before you
start to think that your review cycles never end. It also won't be long
before you realize that this approach to reviewing user access is
unsustainable over the long term. A single enterprise today can have
hundreds of Sarbanes-Oxley-related applications, and a manual review of all
users' access to all of them simply can't be accomplished in any reasonable
amount of time. Besides, you need to be able to detect violations when they
happen, not months later. There's little benefit to being compliant on day
365 of the fiscal year if you're not compliant the 364 previous days
because you were still reviewing user access.
There are two ways that a converged provisioning and auditing solution can
improve access review. First, by automating the entire process of reviewing
access, identifying problems, and remediating them, it makes the process
more accurate and efficient. A manual approach to access review takes
forever, and risks human error at every turn. But an automated approach can
quickly and accurately detect and report discrepancies, as well as alert
provisioning to take immediate corrective action.
The other way that a converged solution can help with access review is by
reducing review cycles as the automated review process matures. Here's how
it works.
• Initially, when the review process is done manually, each manager has
to review every single one of his or her employees' accounts. The manager
also has the challenge of having to interpret user responsibilities and
access privileges to determine if access is role-appropriate. It's no
wonder the effort is so time-consuming.
• An automated solution can streamline access review by adding audit
policy to the review process, so that users who conform to policy can be
filtered out of the process. This can reduce the number of users that have
to be reviewed by up to 40%.
• Ongoing scanning can further reduce the number of users that require
review. Regular scanning can detect violations and automatically alert the
provisioning system to take remediative action, which can reduce the number
of users who have to be reviewed by up to 80%.
• Once a converged solution is in place and automated access review is
well underway, the review process can be filtered to review only users
whose privileges have changed. This can reduce the number of users that
have to be reviewed by up to 90%.
In this way, the converged solution speeds access review not only by
automating the process, but also by continually reducing the number of
users that have to be reviewed.
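The three mechanisms described above, scanning the whole access environment including external entitlement databases (Trap #1), checking an access change against both role rules and audit policy before it is granted (Trap #3), and shrinking the manual review population to users in violation or with changed privileges (Trap #4), as an added example in Python. This is illustrative code written for this article, not Sun Microsystems or Waveset product code; every user, job code, application, entitlement and segregation-of-duties policy in it is constructed.

```python
"""Toy converged provisioning + identity-auditing engine.

Added example for this article; not Sun Microsystems or Waveset code.
All users, job codes, entitlements and policies are constructed.
"""

# Audit policy as auditors would define it: pairs of entitlements that one
# identity must never hold together (segregation of duties).
SOD_POLICIES = [
    ("procurement:create_supplier", "payables:pay_supplier"),
    ("ledger:post_journal", "ledger:approve_journal"),
]

# Role-based provisioning rules: job code -> entitlements the role may grant.
ROLE_RULES = {
    "BUYER": {"procurement:create_supplier"},
    "AP_MANAGER": {"procurement:create_supplier", "payables:pay_supplier"},
    "ACCOUNTANT": {"ledger:post_journal"},
}

# Access granted through the provisioning system (constructed sample).
MANAGED_ENTITLEMENTS = {
    "alice": {"procurement:create_supplier"},
    "bob": {"ledger:post_journal"},
    "carol": {"payables:pay_supplier"},
}

# External entitlement database documenting access granted outside
# provisioning, e.g. an on-demand super-user grant (constructed sample).
EXTERNAL_ENTITLEMENTS = {
    "bob": {"ledger:approve_journal"},
    "dave": {"erp:superuser"},
}

# What each user held at the last completed access review (constructed).
LAST_REVIEW_SNAPSHOT = {
    "alice": {"procurement:create_supplier"},
    "bob": {"ledger:post_journal"},
    "carol": set(),
}


def effective_access(user):
    """Union of managed and externally documented entitlements for one user."""
    return MANAGED_ENTITLEMENTS.get(user, set()) | EXTERNAL_ENTITLEMENTS.get(user, set())


def sod_violations(entitlements):
    """Return every SoD policy pair that the given entitlement set violates."""
    return [p for p in SOD_POLICIES if p[0] in entitlements and p[1] in entitlements]


def scan_environment():
    """Ongoing scan across managed AND external sources (Trap #1).
    Returns {user: [violated policy pairs]} for users in violation only."""
    users = set(MANAGED_ENTITLEMENTS) | set(EXTERNAL_ENTITLEMENTS)
    findings = {}
    for user in sorted(users):
        violated = sod_violations(effective_access(user))
        if violated:
            findings[user] = violated
    return findings


def check_access_request(user, job_code, requested):
    """Preventive check on an access change (Trap #3): the change must satisfy
    the role rules AND the audit policy, evaluated against the user's full
    current access rather than the new entitlement alone. Returns (allowed, reason)."""
    if requested not in ROLE_RULES.get(job_code, set()):
        return False, "not permitted by role rules"
    conflicts = sod_violations(effective_access(user) | {requested})
    if conflicts:
        return False, "segregation-of-duties conflict: %s + %s" % conflicts[0]
    return True, "ok"


def review_population():
    """Shrink the manual review set (Trap #4): violators go to provisioning for
    remediation, policy-conformant users with unchanged access are filtered out,
    and only users whose access changed are left for manager attestation."""
    findings = scan_environment()
    buckets = {"auto_remediate": [], "manager_review": [], "filtered_out": []}
    users = set(MANAGED_ENTITLEMENTS) | set(EXTERNAL_ENTITLEMENTS) | set(LAST_REVIEW_SNAPSHOT)
    for user in sorted(users):
        if user in findings:
            buckets["auto_remediate"].append(user)
        elif effective_access(user) != LAST_REVIEW_SNAPSHOT.get(user, set()):
            buckets["manager_review"].append(user)
        else:
            buckets["filtered_out"].append(user)
    return buckets


if __name__ == "__main__":
    print("scan findings:", scan_environment())
    print("alice as BUYER asks to pay suppliers:", check_access_request("alice", "BUYER", "payables:pay_supplier"))
    print("alice as AP_MANAGER asks again:", check_access_request("alice", "AP_MANAGER", "payables:pay_supplier"))
    print("review population:", review_population())
```

Two details carry the article's argument. The scan only finds bob's conflict because it unions the external entitlement database with the managed store; a scan of provisioning data alone would report a clean environment. And alice's request to pay suppliers passes the role rule once she is an AP_MANAGER, so it is the audit policy check, run against her existing create-supplier entitlement, that stops the segregation-of-duties violation before it is granted.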
Trap #5. "We've got all our internal employees under management. That about
covers it."
Of course it does, assuming you'll never need to provide access to partners,
vendors, remote workers, customers, or others beyond the physical and
logical boundaries of the enterprise. But today, being competitive often
means being able to quickly establish relationships with third parties.
Service providers, for example, often work together with growing numbers of
other service providers to expand the number and kinds of services they can
offer to customers. And as they succeed in doing so, the number of
customers to whom they must deliver access to services also grows.
In this "extended enterprise," identity controls must be extended to cover
a rapidly growing population of external users. And to do that requires
provisioning that can scale. The right converged provisioning and identity
auditing solution for the extended enterprise must be one that's proven to
scale, to millions of users if necessary. It's the only way to ensure the
ability to keep up with competitive pressures and protect identity
technology investments.
If you've found yourself falling into one of today's traps in user
provisioning, it's not too late to do something about it. Look to converged
provisioning and identity auditing to deliver all the capabilities that the
present enterprise environment demands.
Sara Gates is vice president of identity management at Sun Microsystems. She is responsible for driving the Sun identity management vision, strategy and product line. She joined Sun Microsystems in December 2003 through the acquisition of Waveset Technologies, bringing over 15 years of industry experience.
Previously, Gates was the director of product management and product marketing at Waveset Technologies, a leading provider of identity management solutions. Prior to Waveset, Gates held market strategy positions at Deloitte Consulting and Microsoft. Gates holds a BBA from the University of Texas at Austin and an MBA from Vanderbilt University, where she is currently President of the Board of Directors.